https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444026#M100285 <P>Hello,</P><P>I want to make a secure connection for the firewall GUI access. therefore I perform the below task:-</P><P>&nbsp;</P><P>I imported the wildcard certificate in the firewall and the same certificate attached in SSL/TLS profile ( This is 3rd party certificate get by DigiCert).</P><P>Then the SSL/TLS profile is configured for management settings.</P><P>for troubleshooting purposes, i imported the certificate into the client machine as well.</P><P>&nbsp;</P><P>I did the above configuration and access to the firewall with a different browser like&nbsp; - IE, chrome, edge, firefox but all browser is showing the connection is not secure.</P><P>&nbsp;</P><P>I have two doubts:-</P><P>&nbsp;</P><P>&nbsp;1- My wild certificate name is <STRONG>abc.com.jk</STRONG> which resolves my internal DNS <STRONG>10.10.10.10</STRONG> and my management IP address is <STRONG>192.168.1.1</STRONG> - Anything wrong with this or it is correct?</P><P>&nbsp;</P><P>2 - I noticed that the certificate that I received from DigiCert its not a CA below is the image for reference- <STRONG>The Certificate should be the CA to make a secure connection?<BR /></STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1635421220462.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37313i5B2FD98E98E5A244/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1635421220462.png" alt="Jafar_Hussain_0-1635421220462.png" /></span></P><P>&nbsp;</P><P>can anyone have suggestions on this?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Oct 2021 11:43:03 GMT Jafar_Hussain 2021-10-28T11:43:03Z https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444026#M100285 <P>Hello,</P><P>I want to make a secure connection for the firewall GUI access. therefore I perform the below task:-</P><P>&nbsp;</P><P>I imported the wildcard certificate in the firewall and the same certificate attached in SSL/TLS profile ( This is 3rd party certificate get by DigiCert).</P><P>Then the SSL/TLS profile is configured for management settings.</P><P>for troubleshooting purposes, i imported the certificate into the client machine as well.</P><P>&nbsp;</P><P>I did the above configuration and access to the firewall with a different browser like&nbsp; - IE, chrome, edge, firefox but all browser is showing the connection is not secure.</P><P>&nbsp;</P><P>I have two doubts:-</P><P>&nbsp;</P><P>&nbsp;1- My wild certificate name is <STRONG>abc.com.jk</STRONG> which resolves my internal DNS <STRONG>10.10.10.10</STRONG> and my management IP address is <STRONG>192.168.1.1</STRONG> - Anything wrong with this or it is correct?</P><P>&nbsp;</P><P>2 - I noticed that the certificate that I received from DigiCert its not a CA below is the image for reference- <STRONG>The Certificate should be the CA to make a secure connection?<BR /></STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1635421220462.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/37313i5B2FD98E98E5A244/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1635421220462.png" alt="Jafar_Hussain_0-1635421220462.png" /></span></P><P>&nbsp;</P><P>can anyone have suggestions on this?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Oct 2021 11:43:03 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444026#M100285 Jafar_Hussain 2021-10-28T11:43:03Z https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444142#M100301 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/124013">@Jafar_Hussain</a>&nbsp;</P> <P>&nbsp;</P> <P>Certificate warning could be caused by couple of reasons. It will be usefull to see the exact error that browser return - it should point you in correct direction. It could be either the issuer is not trusted, the address you use in the URL is not matching what is in the certificate, etc.</P> <P>&nbsp;</P> <P>But I want to make some clarifications as it seems you make some wrong assumptions:</P> <P>- Certificate Authority (CA) certificate is need to validate the server certificate that server provide to you when you connect to it. In your case firewall is acting as server (because its web interface is actually a web server). Which means that your firewall needs a server certificate and the corresponding private key with it.</P> <P>- You don't have to import that certificate to the browser cert store. Again this certificate is the server cert that FW will send to you when you try to connect to it, in oder to validate its identity to you. So you need to know how to trust this information, which is the purpose of the CA. You what you need is the CA that has signed the server (firewall) cert to be in your browser Trusted Publisher/Root CA certificate store. Looking at your screenshot it seems you use public CA, that should already be trusted by all browsers.</P> <P>- I am bit confuse, because you said you use <U>wildcard certificate</U> while you said the "wild certificate name is <STRONG>abc.com.jk</STRONG>" Wildcard certificate should include a start "*" at the begining , like <STRONG>*.com.jk. </STRONG>Can you explain a bit more what you ment as it possible that this is your reason for ssl warning</P> Thu, 28 Oct 2021 17:20:34 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444142#M100301 aleksandar.astardzhiev 2021-10-28T17:20:34Z https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444558#M100362 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;</P><P>&nbsp;</P><P>We import wild card certificate *.abc.com.jk.</P><P>one more test I did, I generate a self-sign certificate and attached in SSL /TLS profile then the same SSL/TLS profile configure for the Management Interface.</P><P>Then i found the login page was secure but i don't want to use the self-sign certificate. i want to use a 3rd party certificate but not able to find the cause of this issue.</P><P>&nbsp;</P><P>Regards,</P><P>Jafar Hussain</P> Sun, 31 Oct 2021 12:39:21 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444558#M100362 Jafar_Hussain 2021-10-31T12:39:21Z https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444560#M100363 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/124013">@Jafar_Hussain</a>&nbsp;,</P> <P>&nbsp;</P> <P>If using self-signed certificate works without issues, I am guessing you are applying the correct steps.</P> <P>I am starting to believe that you have troubles with the "multilevel" wildcard certificate. This means that:</P> <P>- I you have wildcard for *.abc.com.jk, this certificate is valid for any host, but only for that level:</P> <P>- examples of hostnames from same level are: firewall.abc.com.jk, test.abc.com.jk, vpn.abc.com.jk</P> <P>- example of hostnames that will are not part of this sub-domain, and will give ssl error: west.firewall.abc.com.jk, abc.com.jk, zzz.com.jk, firewall.com.jk</P> <P>&nbsp;</P> <P>If you certificate is *.abc.com.jk, what is the hostname you use for the fw mgmt? also - when you try to access the mgmt interface, are using the IP address or the FQDN in the web browsers addressbar?</P> <P>&nbsp;</P> Sun, 31 Oct 2021 13:03:52 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-connection-for-firewall-web-gui/m-p/444560#M100363 aleksandar.astardzhiev 2021-10-31T13:03:52Z